Method calls always run at compile time. Examples: search, databag, etc
Chef Client resources always run at converge time. Examples: cookbook_file, file, directory, etc
The Chef Client runs through recipes top to bottom, with two layers or phases, always in the following order.
- Compile time
- Converge time
Let's say you have a cookbook_file resource run that is supposed to provide a decryption key for an encrypted databag. Then, you want to use that decryption key to decrypt and read a databag.
# Unintuitively, these steps happen last in the recipe, as they
# occur by default at Converge time
cookbook_file secret_file_path do
source 'encrypted_data_bag_secret'
action :nothing
end
# The following three steps happen first, because they run at Compile time
secret = File.open(secret_file_path)
keyname = data_bag('keyname') #=> ['encryption_key']
data_bag_item('key_content', keyname, secret) #=> "encryption key material"
The order of operations you will see with no changes is first, all compile-time calls. Second, all converge-time calls.
- Compile-time: databag read using an encryption key that is not downloaded yet
- Converge-time: cookbook_file download of the encryption key we needed to make the previous step successful
The above disconnect means that the recipe as presented can never decrypt the contents of the encrypted databag, because the key for the decryption has not yet become available to the data_bag_item method call.
The quickest way to fix the problem outlined is by defining the cookbook_file resource at compile time, rather than converge time, like this:
cookbook_file secret_file_path do
source 'encrypted_data_bag_secret'
action :nothing
end.run_action(:create)